
Looking For Instructions On How To Install on a Mac Mini Server

I have gone through the instructions for UNIX from the link below:


Apple has its own configuration for Apache.  I’m currently running version 2.2.26 on a Mac Mini Server running the latest version of Mavericks.  I tried to find files that contained httpd-2.2.26 and apxs and found none.

I’m really new when it comes to my knowledge of Apache other than making minor modifications in the main apache config file for Phusion Passenger located in /Library/Server/Web/Config/apache2/httpd_server_app.conf. I have also updated the virtual host configuration file to host my Ruby on Rails applications.

Has anyone on this list installed mod_security on a Mac computer?  If so, I could use some help.  I have downloaded and unpacked the tar.gz file in ~/Downloads but cannot figure out how to (1) verify that I have satisfied all the prerequisites and (2) execute the following command, since I cannot find this folder.

./configure --with-apxs=/path/to/httpd-2.x.y/bin/apxs

I also do not know how to get to my profile for this list.  Which link do I need to use to access my subscription profile?
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Felipe Costa | 18 Nov 14:34 2014

ModSecurity version 2.9.0-RC1 released


Hi,

I am proud to announce our first release candidate for version 2.9.0.
The 2.9.0-RC1 contains fixes and new features.

The documentation is available in our wikipage:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

The source and binaries (and the respective hashes) are available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc1

SHA256(modsecurity-2.9.0-RC1.tar.gz)= 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)= 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)= 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7

We would like to thank you all that helped out making this release: comments,
bug reports, and pull requests.

The most important changes are listed below:

New features
============

* `pmFromFile' and `ipMatchFromFile' operators now accept HTTPS-served
   files as a parameter.
* `SecRemoteRules' directive - allows you to specify an HTTPS-served file that
  may contain rules in the SecRule format to be loaded into your ModSecurity
  instance.
* `SecRemoteRulesFailAction' directive - allows you to control whether
  ModSecurity should Abort or just Warn when there is a problem while downloading
  rules specified with the `SecRemoteRules' directive.
* `fuzzyHash' operator - allows matching contents using fuzzy hashes.
* `FILES_TMP_CONTENT' collection - makes the content of uploaded files
  available.
* InsecureNoCheckCert - option to validate (or not) the chain of SSL certificates
  on mlogc connections.

Bug fixes
=========

* ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
  [Issue #676 - Kris Kater and ModSecurity team]
* Fixed signature on "status call": ModSecurity is now using the original
  server signature.
  [Issues #702 - Linas and ModSecurity team]
* YAJL version is printed during ModSecurity initialization.
  [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
* Fixed subnet representation using slash notation on the @ipMatch operator.
  [Issue #706 - Walter Hop and ModSecurity team]
* Limited the length of a status call.
  [Issue #714 - 'cpanelkurt' and ModSecurity team]
* Added the missing -P option to nginx regression tests.
  [Issue #720 - Paul Yang]
* Fixed automake scripts to not use features which will be deprecated in the
  upcoming releases of automake.
  [Issue #760 - ModSecurity team]
* apr-util's LDFLAGS is now considered while building ModSecurity.
  [Issue #782 - Daniel J. Luke]
* IIS installer is not considering IIS 6 as compatible anymore.
  [Issue #790 - ModSecurity team]
* Fixed yajl build script: now looking for the correct header file.
  [Issue #804 - 'rpfilomeno' and ModSecurity team]
* mlogc is now forced to use TLS 1.x.
  [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>
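
The digests in the announcement above only help if somebody actually compares them against the downloaded files. The following Python script is an added example, not part of the announcement and not code from the ModSecurity project: it parses digest lines in the `SHA256(file)= hex` form used in the mail, streams each downloaded artifact through SHA-256 and reports OK, MISMATCH or MISSING per file. The `demo()` function builds a constructed scenario in a temporary directory (a tampered tarball, no MSIs); real use would point `verify_downloads()` at the directory holding the files fetched from the GitHub release page.

```python
import hashlib
import os
import re
import tempfile

# Digest lines exactly as they appear in the announcement: "SHA256(file)= hex".
ANNOUNCED = """
SHA256(modsecurity-2.9.0-RC1.tar.gz)= 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)= 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)= 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7
"""

# A digest line must carry a full 64-hex-digit SHA-256; anything else is ignored
# rather than silently accepted as "no digest to check".
DIGEST_LINE_RE = re.compile(r'^SHA256\((?P<name>[^)]+)\)=\s*(?P<hex>[0-9a-fA-F]{64})$')


def parse_digest_lines(text):
    """Return {file name: lowercase hex digest} for every well-formed digest line."""
    published = {}
    for raw in text.splitlines():
        m = DIGEST_LINE_RE.match(raw.strip())
        if m:
            published[m.group("name")] = m.group("hex").lower()
    return published


def sha256_stream(fileobj, chunk_size=1 << 20):
    """Hash a binary file object in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data):
    """Digest of an in-memory byte string (convenience for small inputs and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    with open(path, "rb") as f:
        return sha256_stream(f)


def verify_downloads(directory, published):
    """Compare each published artifact found in `directory` against its announced digest.

    Returns {name: "OK" | "MISMATCH" | "MISSING"}. A MISMATCH is a reason not to
    install the file, not a download glitch to retry silently.
    """
    results = {}
    for name, expected in published.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: a directory holding a tampered tarball and none of the MSIs."""
    published = parse_digest_lines(ANNOUNCED)
    workdir = tempfile.mkdtemp(prefix="modsec-verify-")
    with open(os.path.join(workdir, "modsecurity-2.9.0-RC1.tar.gz"), "wb") as f:
        f.write(b"not the real tarball")  # constructed content, so the digest cannot match
    return verify_downloads(workdir, published)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-36s %s" % (name, status))
```

A digest published next to the binaries on the same release page detects a corrupted download; comparing against a digest received through a second channel, such as this list posting, also catches a file that was swapped at the download location, to the extent that the second channel itself is trusted.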

Christian Folini | 18 Nov 11:29 2014

Getting my feet wet with ModSec on IIS

Hi there,

Recently I touched on a ModSec installation on IIS. This was an
interesting experience. There is very little documentation on practical
ModSec on IIS out there. So I thought I would post some insights here.
I also have two questions, which somebody might know an answer to.

There are four types of logs with ModSec in IIS.

ModSec controlled logfiles:
- debug.log
- audit.log 

IIS controlled logfile:
- Webserverlog - sort of an abbreviated access log

Windows controlled logfile:
- Eventlog - this matches the information ModSec presents in Apache's 
  error log

Now, logging is the basis for tuning, and my method uses the anomaly scores
of every request as the starting point and guideline for the tuning 
process (see a recent blog post on the topic:
http://www.netnea.com/cms/2014/11/18/summary-of-modsecurity-talk-owasp-ch/),
but I was not able to add the anomaly scores to IIS's version of
the access log. Is there a way to do that?

The Eventlog is helpful. Even more so as you can export it easily,
transform it a bit and you end up with a logfile, which can be handled
by standard unix scripts written to handle Apache's Error-Log.

(A sidenote: It's a good practice to push events into one of the
ModSec event consoles. But this is not how I work.)

Now the problem I encountered with the EventLog was abbreviated events
like the following:

[client 0.0.0.0:00000] ModSecurity: Warning. Pattern match
"(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor
..." at ARGS:formdata. [file "C:\/Program Files/ModSecurity
IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "245"] [id "981243"] [msg "Detects classic SQL injection
probings 2/2"] [data "Matched Data: '1.0' found within ARGS:formdata:
<xxxxPacket version='1.0'><header/><data><struct><var
name='group376'><string>0</string></var><var
name='group375'><string>0</string></var><var
name='group374'><string>0</string></var><var
name='group373'><string>0</string></var><var
name='group570'><string>0</string></var><var
name='group379'><string>0</string></var><var
name='group471'><string>0</string></var><var
name='group470'><string>0</string></var><var
name='group478'><string>0</string></var><var na..."] [severity "CR
[hostname "CHSPSR0350"] [uri
"/security/w_useredit.cfm?id=4145&tab=4"] [unique_id
"16068843472605438573"]

The funny abbreviation occurred in the severity field. CRITICAL is
abbreviated to CR. I do not know what else is missing, but the final
fields of the entry seem to be intact. Puzzled.

Is this a bug, an EventLog characteristic or something that can be 
fixed within the ModSec configuration?

My best bet on logging the anomaly scores is a phase:5 rule and writing
it to the EventLog. Somehow this did not work out. The scores were
0 despite rules having triggered. This means they are initialized but
not available correctly in phase 5. Probably my mistake. But is there a
better way to achieve this?

So the two questions again:
 - Best way to log anomaly scores of every request in IIS
 - What to do about event log omissions

Ahoj,

Christian

-- 
The art of victory is learned in defeat.
-- Simón Bolívar

Ronald.Ploeger | 18 Nov 08:26 2014

Where is the raw data of an event stored in auditconsole

Hi,

on the events view of AuditConsole one has the option to look at the raw ModSecurity data of an event.

I was wondering where AuditConsole gets this data from, or where it stores this data?

Thanks,

Ronald

Abhijit Mitra | 15 Nov 21:12 2014

log entry getting truncated?

It looks like log entries get truncated? I assume there is a limit to how long they can be, which is fine, but I'd prefer it if ModSecurity wrote a message out somewhere when this happened.

Below is a (sanitized) message block from section H of my audit log, and below that is the corresponding entry in my Apache error log. At the bottom of the audit log entry is this: "[ta", which clearly was the beginning of another [tag] section.

SECTION H, AUDIT LOG:
Message: Warning. Pattern match "(?i:(?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+" at ARGS:SAMLRequest. [file "/directoryname/mod_security2.d/rules/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] [data "Matched Data: L0x6a0F found within ARGS:SAMLRequest: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwczovL2Nvbm5leC5jaHViYi5jb20vc2FtbC9zc28iIERlc3RpbmF0aW9uPSJodHRwczovL3BmZWQuY2h1YmIuY29tL2lkcC9TU08uc2FtbDIiIEZvcmNlQXV0aG49ImZhbHNlIiBJRD0iYTQ4ZWg3OTNnYjg1MmoxaTFiODJoNGZhYzRkN2YwMyIgSXNQYXNzaXZlPSJmYWxzZSIgSXNzdWVJbnN0YW50PSIyMDE0LTExLTEyVDE5OjQzOjI3LjcxMFoiIFBy..."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [ta

APACHE ERROR LOG:
[Wed Nov 12 14:43:06 2014] [error] [client ww.xx.yy.zz] ModSecurity: Warning. Pattern match "(?i:(?:\\\\A|[^\\\\d])0x[a-f\\\\d]{3,}[a-f\\\\d]*)+" at ARGS:SAMLRequest. [file "/directoryname/mod_security2.d/rules/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] [data "Matched Data: L0x6a0F found within ARGS:SAMLRequest: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwczovL2Nvbm5leC5jaHViYi5jb20vc2FtbC9zc28iIERlc3RpbmF0aW9uPSJodHRwczovL3BmZWQuY2h1YmIuY29tL2lkcC9TU08uc2FtbDIiIEZvcmNlQXV0aG49ImZhbHNlIiBJRD0iYTQ4ZWg3OTNnYjg1MmoxaTFiODJoNGZhYzRkN2YwMyIgSXNQYXNzaXZlPSJmYWxzZSIgSXNzdWVJbnN0YW50PSIyMDE0LTExLTEyVDE5OjQzOjI3LjcxMFoiIFBy..."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [ta [hostname "host.company.com"] [uri "/contextroot/filename"] [unique_id "randomalphanumericstring"]

--
Abhi Mitra
GSEC, ITIL
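
Both the abbreviated EventLog entry Christian describes above (a severity cut down to "CR") and the audit-log entry in this post that ends in "[ta" are the same symptom: a bracketed key/value field that did not reach the log intact. The following Python script is an added example, not code from either poster or from the ModSecurity project. It parses the `[key "value"]` fields of a ModSecurity alert line and flags entries where a field is damaged or the line is cut off, so a tuning script that walks the error log, the audit log or an exported EventLog does not silently skip them. The sample lines are constructed for this example, modelled on the entries quoted in the thread; it says nothing about why a given logger truncates, only that it did.

```python
import re

# One bracketed field as ModSecurity writes it: [key "value"], with embedded
# double quotes in the value escaped by a backslash.
FIELD_RE = re.compile(r'\[([a-z_]+) "((?:[^"\\]|\\.)*)"\]')

# Severity names ModSecurity emits; anything else (e.g. "CR") means the field was cut.
SEVERITIES = {"EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFO", "DEBUG"}

# Fields every complete alert line carries; their absence suggests truncation.
REQUIRED = ("id", "uri", "unique_id")

# Constructed sample lines for this example, modelled on the entries quoted in
# the thread (hosts, ids and data are made up, not copied from any real server).
SAMPLE_INTACT = (
    '[Wed Nov 12 14:43:06 2014] [error] [client 192.0.2.10] ModSecurity: Warning. '
    r'Pattern match "(?i:(?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+" at ARGS:q. '
    '[file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] '
    '[data "Matched Data: 0x6a0F found within ARGS:q: L0x6a0F"] [severity "CRITICAL"] '
    '[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] '
    '[hostname "www.example.com"] [uri "/saml/sso"] [unique_id "VGQqMn8AAQEAAAXfA2sAAAAA"]'
)
# Audit-log section H style: no timestamp prefix, and the line ends mid-field.
SAMPLE_TRUNCATED_TAIL = (
    'Message: Warning. Pattern match "^0x" at ARGS:SAMLRequest. '
    '[file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [ta'
)
# EventLog style: a field in the middle is cut, but the trailing fields are intact.
SAMPLE_DAMAGED_MIDDLE = (
    '[client 192.0.2.10] ModSecurity: Warning. Pattern match "^0x" at ARGS:formdata. '
    '[file "C:/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "245"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] '
    '[data "Matched Data: 1.0 found within ARGS:formdata"] [severity "CR '
    '[hostname "iis-host"] [uri "/security/w_useredit.cfm?id=4145&tab=4"] [unique_id "16068843472605438573"]'
)


def parse_modsec_line(line):
    """Parse one ModSecurity alert line.

    Returns (fields, problems): fields maps each key to a list of values (keys
    such as "tag" repeat); problems lists integrity findings, empty when the
    line looks intact. Free text before the first field (timestamp, client,
    the matched pattern) is deliberately not inspected.
    """
    fields = {}
    problems = []
    last_end = None
    for m in FIELD_RE.finditer(line):
        if last_end is not None:
            # Between two intact fields there should be nothing but whitespace;
            # a leftover like '[severity "CR' is a field that failed to close.
            gap = line[last_end:m.start()].strip()
            if gap:
                problems.append("damaged fragment between fields: %r" % gap)
        fields.setdefault(m.group(1), []).append(m.group(2))
        last_end = m.end()
    if last_end is None:
        problems.append("no bracketed fields found")
        return fields, problems
    # Text after the last intact field is a cut-off field such as '[ta'.
    tail = line[last_end:].strip()
    if tail:
        problems.append("truncated trailing fragment: %r" % tail)
    for sev in fields.get("severity", []):
        if sev not in SEVERITIES:
            problems.append("unexpected severity value: %r" % sev)
    for key in REQUIRED:
        if key not in fields:
            problems.append("missing field: %s" % key)
    return fields, problems


def scan(lines):
    """Return [(line_number, fields, problems)] for the lines that have problems."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields, problems = parse_modsec_line(line)
        if problems:
            findings.append((n, fields, problems))
    return findings


if __name__ == "__main__":
    for n, fields, problems in scan([SAMPLE_INTACT, SAMPLE_TRUNCATED_TAIL, SAMPLE_DAMAGED_MIDDLE]):
        print("line %d (rule id %s):" % (n, ",".join(fields.get("id", ["?"]))))
        for p in problems:
            print("    " + p)
```

Feed `scan()` the lines of an error log, the "Message:" lines of audit-log section H, or an exported EventLog one entry per line; entries it reports should be counted separately in any anomaly-score statistics, since their score, severity or tags cannot be trusted.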
Robert Mark Morley | 15 Nov 18:00 2014

ipMatchFromFile vs RBL performance

Hi all,

I have an IP/CIDR blacklist of over 35,000 entries (over 500KB) and I'm currently using ipMatchFromFile.

At the moment I'm using ipMatchFromFile, but I'm wondering if it would be better to run a local (on the lan) RBL list.

Certainly it would reduce the memory footprint of Apache a bit, but how do the two options compare as far as lookup speed is concerned? 

And on a related note...  when using ipMatchFromFile, will modsecurity notice a change in the data file and reload it automatically or is it necessary to restart apache?

Thanks,

Mark
Winfried Neessen | 13 Nov 17:35 2014

Error parsing rule targets to append variable

Hi everyone,

I just ran into an issue with my mod_sec configuration. I've tried to exclude some
Google Analytics Cookies from being checked for XSS. I have a list of rules which
are all tagged with "Web_Attacks/XSS", so my try was to add this rule to my
exceptions config file:

## Google Analytics cookies shouldn't be blocked
SecRuleUpdateTargetByTag "Web_Attacks/XSS" !REQUEST_COOKIES_NAMES:/^(utm(?:c(?:[im]d|[st]r|c[nt])|gclid))$/

Once active, an "apachectl configtest" results in:
[Thu Nov 13 16:27:35 2014] [error] ModSecurity: Error parsing rule targets to append variable
[Thu Nov 13 16:27:35 2014] [error] ModSecurity: Error parsing rule targets to append variable
[Thu Nov 13 16:27:35 2014] [error] ModSecurity: Error parsing rule targets to append variable
[Thu Nov 13 16:27:35 2014] [error] ModSecurity: Error parsing rule targets to append variable


(For each rule, that is tagged with Web_Attacks/XSS)

Any idea why this is happening or what I am doing wrong?


Thanks
Winni
Ronald.Ploeger | 10 Nov 12:37 2014

AuditConsole TX:ANOMALY_SCORE is always -1

Hi,

I have already tried this question on the AuditConsole Mailing List, but maybe the audience here is bigger:

I am using AuditConsole Version 0.4.6-13 and I am wondering why the TX:ANOMALY_SCORE is always -1.

Is there anything I have to configure? Any hint is appreciated.

Thanks and best regards,

Ronald

donnanian | 6 Nov 00:30 2014

Upgrading ModSecurity

Hello,

I installed mod security from source on my server and I would like to upgrade to the latest version. 

Do I have to uninstall (remove) the previous version first before upgrading to the latest? If so, what would be the best way to uninstall?

Thank you.
Christopher Stanley | 5 Nov 18:33 2014

PCRE Compiled Version less than Loaded Version

Hey,

I am getting a warning about:
[notice] ModSecurity: PCRE compiled version="4.5 "; loaded version="5.0 13-Sep-2004"

What is the best course of action? Should I install PCRE 8? Can PCRE 8 even be compatible with RHEL4?

I just don't see how the loaded version could be greater than the compiled version, unless the loaded version is what ModSecurity was compiled with, and the compiled version is the library that is installed on the system.

Just want to see what all your suggestions would be on the matter.

Thanks again.
Ewald Dieterich | 4 Nov 15:36 2014

Rule 960016 leads to 413 instead of 403

I'm using modsecurity 2.8.0 with Apache httpd 2.4.10 and CRS 2.2.9 on 
Debian unstable.

When I send a POST request with an invalid Content-Length header, rule 
960016 triggers as expected. Here's the log entry (it's the only log 
entry created for that request):

[...] ModSecurity: Access denied with code 403 (phase 1). Match of "rx 
^\\\\d+$" against "REQUEST_HEADERS:Content-Length" required. [...] [id 
"960016"] [...]

But contrary to what the log entry states, the request leads to a 413 
instead of the expected 403:

$ curl -i -d "param1=value1" -H "Content-Length: a" http://localhost/post/show.php
HTTP/1.1 413 Request Entity Too Large
[...]

For testing purposes I removed the regex negation from rule 960016 (note 
the missing ! in front of the regex):

SecRule REQUEST_HEADERS:Content-Length "^\d+$" \

Now every request with a valid Content-Length header is blocked, this 
time with the expected 403:

$ curl -i -d "param1=value1" http://localhost/post/show.php
HTTP/1.1 403 Forbidden

What's so special about the regex negation that the first request is not 
blocked correctly?
